Converting DER encoded unsigned CSR to internal OpenSSL format

Peter P.
Hi,
I'm writing an application using OpenSSL 1.0.2d where I am trying to take a DER encoded unsigned CSR and read it into an X509_REQ data structure via the d2i_X509_REQ_bio() function. This function errors out when I attempt to read in my unsigned CSR, and I would like to know if there is any other way to read an unsigned CSR into an X509_REQ data structure.

Thank you,

Peter 

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Converting DER encoded unsigned CSR to internal OpenSSL format

Dr. Stephen Henson
On Mon, Nov 09, 2015, Peter P. wrote:

> Hi,
> I'm writing an application using OpenSSL 1.0.2d where I am trying to take a
> DER encoded unsigned CSR and read it into an X509_REQ data structure via
> the d2i_X509_REQ_bio() function. This function errors out when I
> attempt to read in my unsigned CSR and I would like to know if there is any
> other way to read an unsigned CSR into an X509_REQ data structure.
>

The signature on a CSR is mandatory so if it is not present it isn't a valid
CSR structure any more: that will cause the parser to reject it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Converting DER encoded unsigned CSR to internal OpenSSL format

Peter P.
Hi Dr. Henson,

Thank you for your reply. To work around this issue in my application, I have considered attempting to re-sign an already signed CSR. Is this possible with OpenSSL?

Thank you again,

Peter

On Tue, Nov 10, 2015 at 9:18 AM, Dr. Stephen Henson <[hidden email]> wrote:
On Mon, Nov 09, 2015, Peter P. wrote:

> Hi,
> I'm writing an application using OpenSSL 1.0.2d where I am trying to take a
> DER encoded unsigned CSR and read it into an X509_REQ data structure via
> the d2i_X509_REQ_bio() function. This function errors out when I
> attempt to read in my unsigned CSR and I would like to know if there is any
> other way to read an unsigned CSR into an X509_REQ data structure.
>

The signature on a CSR is mandatory so if it is not present it isn't a valid
CSR structure any more: that will cause the parser to reject it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Converting DER encoded unsigned CSR to internal OpenSSL format

Wim Lewis-3
In reply to this post by Peter P.

On Nov 9, 2015, at 3:46 PM, Peter P. <[hidden email]> wrote:
> I'm writing an application using OpenSSL 1.0.2d where I am trying to take a DER encoded unsigned CSR and read it into an X509_REQ data structure via the d2i_X509_REQ_bio() function. This function errors out when I attempt to read in my unsigned CSR and I would like to know if there is any other way to read an unsigned CSR into an X509_REQ data structure.

A CSR (from PKCS#10 / RFC2986) has the structure:

   SEQUENCE { CertificationRequestInfo, AlgorithmIdentifier, BIT STRING }

where the actual request is the CertificationRequestInfo, and the signature is composed of the AlgorithmIdentifier + BIT STRING.

Are you trying to just read in a bare CertificationRequestInfo structure? I suspect you can do that with a call like

    ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ_INFO), bp, req)

which is the same as the body of d2i_X509_REQ_bio(), but with X509_REQ replaced by X509_REQ_INFO. I haven't tried it, though.

(Whether it's a *good idea* to pass bare CSR info structs around is another question but I'll leave that up to you.)


Wim.
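
Added example, not part of the thread and not OpenSSL code: a C routine that tells apart the two DER shapes described in the reply above, a full CertificationRequest and a bare CertificationRequestInfo, so an application can decide which decoder to hand the bytes to. The names `der_tlv`, `csr_classify` and the sample arrays are assumptions made for this example; the four-field layout of CertificationRequestInfo, with attributes tagged [0], is taken from RFC 2986.

```c
#include <stddef.h>

enum csr_kind { CSR_INVALID = 0, CSR_SIGNED, CSR_INFO_ONLY };

/* Decode one DER TLV header; returns the total TLV size, or 0 if malformed. */
static size_t der_tlv(const unsigned char *p, size_t n, unsigned char *tag,
                      const unsigned char **val, size_t *len)
{
    size_t hdr = 2, l, k, i;
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;   /* multi-byte tags unsupported */
    *tag = p[0];
    l = p[1];
    if (l & 0x80) {                                 /* long-form length */
        k = l & 0x7f;
        if (k == 0 || k > 4 || n < 2 + k) return 0; /* k == 0: indefinite, not DER */
        for (l = 0, i = 0; i < k; i++) l = (l << 8) | p[2 + i];
        hdr += k;
    }
    if (l > n - hdr) return 0;                      /* content runs past buffer */
    *val = p + hdr; *len = l;
    return hdr + l;
}

/* Shape check on top-level child tags only; not full PKCS#10 validation. */
enum csr_kind csr_classify(const unsigned char *der, size_t n)
{
    unsigned char tag, t[4] = {0};
    const unsigned char *body, *v;
    size_t blen, l, used, count = 0;
    used = der_tlv(der, n, &tag, &body, &blen);
    if (used == 0 || used != n || tag != 0x30) return CSR_INVALID;
    for (; blen > 0; body += used, blen -= used, count++) {
        used = der_tlv(body, blen, &tag, &v, &l);
        if (used == 0) return CSR_INVALID;
        if (count < 4) t[count] = tag;
    }
    /* CertificationRequest: info SEQUENCE, AlgorithmIdentifier, BIT STRING */
    if (count == 3 && t[0] == 0x30 && t[1] == 0x30 && t[2] == 0x03) return CSR_SIGNED;
    /* CertificationRequestInfo: version, subject, subjectPKInfo, [0] attributes */
    if (count == 4 && t[0] == 0x02 && t[1] == 0x30 && t[2] == 0x30 && t[3] == 0xA0)
        return CSR_INFO_ONLY;
    return CSR_INVALID;
}

/* Constructed skeletons with empty inner fields, not real requests. */
const unsigned char sample_info[] = {0x30,9, 2,1,0, 0x30,0, 0x30,0, 0xA0,0};
const unsigned char sample_signed[] = {0x30,16, 0x30,9,2,1,0,0x30,0,0x30,0,0xA0,0, 0x30,0, 3,1,0};

int main(void) { return csr_classify(sample_signed, sizeof sample_signed) == CSR_SIGNED ? 0 : 1; }
```

A `CSR_SIGNED` result only means the buffer has the three-part outer structure; it says nothing about whether the signature verifies.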

Re: Converting DER encoded unsigned CSR to internal OpenSSL format

Peter P.
Hi Wim,

I'll give this a shot, thank you for the suggestion!

-Peter 

On Wed, Nov 11, 2015 at 5:05 PM, Wim Lewis <[hidden email]> wrote:

On Nov 9, 2015, at 3:46 PM, Peter P. <[hidden email]> wrote:
> I'm writing an application using OpenSSL 1.0.2d where I am trying to take a DER encoded unsigned CSR and read it into an X509_REQ data structure via the d2i_X509_REQ_bio() function. This function errors out when I attempt to read in my unsigned CSR and I would like to know if there is any other way to read an unsigned CSR into an X509_REQ data structure.

A CSR (from PKCS#10 / RFC2986) has the structure:

   SEQUENCE { CertificationRequestInfo, AlgorithmIdentifier, BIT STRING }

where the actual request is the CertificationRequestInfo, and the signature is composed of the AlgorithmIdentifier + BIT STRING.

Are you trying to just read in a bare CertificationRequestInfo structure? I suspect you can do that with a call like

    ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ_INFO), bp, req)

which is the same as the body of d2i_X509_REQ_bio(), but with X509_REQ replaced by X509_REQ_INFO. I haven't tried it, though.

(Whether it's a *good idea* to pass bare CSR info structs around is another question but I'll leave that up to you.)


Wim.
